8Base
8Base is a financially motivated ransomware operation active since at least 2022, publicly unveiled in May 2023, and widely described as highly active from mid-2023 into 2024. Reporting links the group to the Phobos ransomware ecosystem and describes it as an operator or affiliate user of Phobos ransomware, including a customized variant that appends the ".8base" extension to encrypted files and slightly modifies the standard Phobos ransom note.

8Base used double-extortion tactics, with victim disclosures central to its strategy. Disclosures were published on Tor-based leak sites and at times mirrored through surface-web infrastructure. Its leak-site workflow included staged disclosure, Telegram-based victim negotiation, and outreach to journalists.

The group primarily targeted small and medium-sized organizations worldwide, with victims concentrated in Western countries and spanning finance, manufacturing, healthcare, and a broad range of other sectors. Reported or claimed victims include the UN Development Programme, the UN International Civil Aviation Organization recruitment database, the Atlantic States Marine Fisheries Commission, and a Canadian agency administering dental benefit plans for disabled people in Alberta.

8Base tradecraft and infrastructure are closely tied to Phobos. Phobos/8Base activity commonly gained initial access via exposed or compromised RDP, phishing, brute force, initial access brokers, and SmokeLoader. During intrusions, 8Base is reported to use SmokeLoader for obfuscation, unpacking, and loading of the Phobos ransomware, and SystemBC as a SOCKS5 proxy or RAT to conceal command-and-control traffic, execute commands, deploy payloads, or exfiltrate data. Phobos and 8Base disabled security tools, deleted backups, modified registry entries, and, in some reporting, modified firewall rules to evade detection and maintain access.

8Base likely did not operate as a fully independent stack. Malware hashes and infrastructure associated with 8Base overlapped with ALPHV, BianLian, Knight, and Play, which points to 8Base operating within a shared-backend ransomware ecosystem rather than as a fully independent group. Historical public reporting also links access sold by the initial access broker KongTuke/Woodgnat to ransomware crews including 8Base, alongside Qilin, Interlock, Rhysida, Akira, and Black Basta.

Operationally, 8Base maintained rotating onion infrastructure, Telegram channels, and a temporary surface-web presence. One report cited 459 recorded victims between May 2023 and February 2025, with the last recorded victim dated 1 February 2025. Multiple sources describe the brand as disrupted, dormant, or fragmented following international law-enforcement action in February 2025, including seizure of its leak site and arrests tied to Operation Aether. Known aliases or related designations include 8base and the association with Phobos; one source also states the group used a leak site called "Space Bears."
Tradecraft
14 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Observables
13 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Referenced as a downstream ransomware operation that may purchase access from Woodgnat.
Named as a ransomware crew that purchases or uses access brokered by KongTuke/Woodgnat.
Named as a ransomware crew previously linked to attacks involving KongTuke-provided access.
Referenced as one of the ransomware groups whose attacks have involved ModeloRAT.